I find that advanced-video-embed-embed-videos-or-playlists - v1.0 has a local file inclusion vulnerability on Exploit-db. This can be found at: https://www.exploit-db.com/exploits/39646/. I am able to download the exploit and modify it for SSL using the following code.

With this vulnerability, I was able to download both wp-config.php and /etc/passwd. After executing the file, I browsed to: https://192.168.56.102:12380/blogblog/wp-content/uploads/ to see the random id assigned to my file. If you attempt to view this in the browser it will fail because it cannot render a configuration as a jpeg. I pulled down the text with curl.

I am then able to FTP login as Elly and pull down all the sensitive files. The most useful file to pull down is /etc/passwd and use it to ssh bruteforce. Using this, I am able to obtain a a local shell as SHayslett.

Privilege Escalation 2: SUID

Once I have a local shell, I can search for potential vulnerabilities using the Linux Priv Checker. This can be found at: http://www.securitysift.com/download/linuxprivchecker.py. Using this script, I am able to find a world writable cron job.

I am then able to change the world writable cron to my own suid setter file that I will make. I then create and compile that suid program. Once the cron is run, I will have a nice file to execute to get root.

Privilege Escalation 3: Kernel Exploit

Next, I find online the Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD) at https://www.exploit-db.com/exploits/39772/. I download the exploit, untar the file, compile, and execute the exploit.